1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
|
package signerverifier
import (
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"encoding/json"
"encoding/pem"
"errors"
"hash"
"testing"
"github.com/secure-systems-lab/go-securesystemslib/cjson"
)
/*
Credits: Parts of this file were originally authored for in-toto-golang.
*/
var (
// ErrNoPEMBlock gets triggered when there is no PEM block in the provided file
ErrNoPEMBlock = errors.New("failed to decode the data as PEM block (are you sure this is a pem file?)")
// ErrFailedPEMParsing gets returned when PKCS1, PKCS8 or PKIX key parsing fails
ErrFailedPEMParsing = errors.New("failed parsing the PEM block: unsupported PEM type")
)
// LoadKeyFromSSLibBytes returns a pointer to a Key instance created from the
// contents of the bytes. The key contents are expected to be in the custom
// securesystemslib format.
//
// Deprecated: use LoadKey() for all key types, RSA is no longer the only key
// that uses PEM serialization.
func LoadKeyFromSSLibBytes(contents []byte) (*SSLibKey, error) {
var key *SSLibKey
if err := json.Unmarshal(contents, &key); err != nil {
return LoadRSAPSSKeyFromBytes(contents)
}
if len(key.KeyID) == 0 {
keyID, err := calculateKeyID(key)
if err != nil {
return nil, err
}
key.KeyID = keyID
}
return key, nil
}
func calculateKeyID(k *SSLibKey) (string, error) {
key := map[string]any{
"keytype": k.KeyType,
"scheme": k.Scheme,
"keyid_hash_algorithms": k.KeyIDHashAlgorithms,
"keyval": map[string]string{
"public": k.KeyVal.Public,
},
}
canonical, err := cjson.EncodeCanonical(key)
if err != nil {
return "", err
}
digest := sha256.Sum256(canonical)
return hex.EncodeToString(digest[:]), nil
}
/*
generatePEMBlock creates a PEM block from scratch via the keyBytes and the pemType.
If successful it returns a PEM block as []byte slice. This function should always
succeed, if keyBytes is empty the PEM block will have an empty byte block.
Therefore only header and footer will exist.
*/
func generatePEMBlock(keyBytes []byte, pemType string) []byte {
// construct PEM block
pemBlock := &pem.Block{
Type: pemType,
Headers: nil,
Bytes: keyBytes,
}
return pem.EncodeToMemory(pemBlock)
}
/*
decodeAndParsePEM receives potential PEM bytes decodes them via pem.Decode
and pushes them to parseKey. If any error occurs during this process,
the function will return nil and an error (either ErrFailedPEMParsing
or ErrNoPEMBlock). On success it will return the decoded pemData, the
key object interface and nil as error. We need the decoded pemData,
because LoadKey relies on decoded pemData for operating system
interoperability.
*/
func decodeAndParsePEM(pemBytes []byte) (*pem.Block, any, error) {
// pem.Decode returns the parsed pem block and a rest.
// The rest is everything, that could not be parsed as PEM block.
// Therefore we can drop this via using the blank identifier "_"
data, _ := pem.Decode(pemBytes)
if data == nil {
return nil, nil, ErrNoPEMBlock
}
// Try to load private key, if this fails try to load
// key as public key
key, err := parsePEMKey(data.Bytes)
if err != nil {
return nil, nil, err
}
return data, key, nil
}
/*
parseKey tries to parse a PEM []byte slice. Using the following standards
in the given order:
- PKCS8
- PKCS1
- PKIX
On success it returns the parsed key and nil.
On failure it returns nil and the error ErrFailedPEMParsing
*/
func parsePEMKey(data []byte) (any, error) {
key, err := x509.ParsePKCS8PrivateKey(data)
if err == nil {
return key, nil
}
key, err = x509.ParsePKCS1PrivateKey(data)
if err == nil {
return key, nil
}
key, err = x509.ParsePKIXPublicKey(data)
if err == nil {
return key, nil
}
key, err = x509.ParseECPrivateKey(data)
if err == nil {
return key, nil
}
return nil, ErrFailedPEMParsing
}
func hashBeforeSigning(data []byte, h hash.Hash) []byte {
h.Write(data)
return h.Sum(nil)
}
func hexDecode(t *testing.T, data string) []byte {
t.Helper()
b, err := hex.DecodeString(data)
if err != nil {
t.Fatal(err)
}
return b
}
|